How to Delegate the Right to Unlock User Accounts

Friday, September 26, 2008


In order to delegate the right to unlock locked user accounts to a user or group in Active Directory, you first need to make the right visible in Active Directory Users and Computers (ADUC).

The %windir%\System32\dssec.dat file contains all the rights attributes that can be exposed in ADUC. These rights attributes are grouped under headings surrounded by square brackets, such as [user] or [computer]. Each attribute is assigned a value (filter) as follows:

0 - Read and Write is exposed
1 - Write is exposed
2 - Read is exposed
7 - Hide the attribute

To modify the filter, open dssec.dat in Notepad. Find the lockoutTime attribute under the [user] heading. Be careful to select the [user] heading, as there's another lockoutTime attribute under [computer]. Change the value of the filter from 7 to 0 (lockoutTime=0) and save the changes.
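A section-aware way to make this edit, added here as an example and not taken from the original post: the hypothetical function `Set-DssecFilter` changes the filter only under the named heading, so the lockoutTime entry under [computer] is left alone. The sample content is constructed and is not a real dssec.dat.

```powershell
# Added example (not from the original post). Set-DssecFilter is a hypothetical helper.
function Set-DssecFilter {
    param(
        # File content, one element per line; blank lines are allowed.
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines,
        [Parameter(Mandatory)][string]$Section,      # heading without brackets, e.g. 'user'
        [Parameter(Mandatory)][string]$Attribute,    # e.g. 'lockoutTime'
        # Filter values listed in the post: 0, 1, 2 or 7.
        [Parameter(Mandatory)][ValidateSet(0, 1, 2, 7)][int]$Filter
    )
    $entry   = '^\s*' + [regex]::Escape($Attribute) + '\s*=\s*\d+\s*$'
    $current = $null      # heading we are currently under
    $changed = $false
    $out = foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            $current = $Matches[1]          # entered a new [heading]
            $line
        }
        elseif ($current -eq $Section -and $line -match $entry) {
            $changed = $true                # rewrite only inside the requested heading
            "$Attribute=$Filter"
        }
        else {
            $line                           # everything else passes through untouched
        }
    }
    if (-not $changed) { throw "No $Attribute entry found under [$Section]" }
    $out
}

# Constructed sample with the same attribute under two headings.
$sample = @(
    '[computer]'
    'lockoutTime=7'
    ''
    '[user]'
    'lockoutTime=7'
)

# Only the [user] entry becomes lockoutTime=0; the [computer] entry stays at 7.
Set-DssecFilter -Lines $sample -Section user -Attribute lockoutTime -Filter 0
```

To apply it to the real file, keep a backup copy, pass in the lines read from %windir%\System32\dssec.dat, and write the result back in the file's existing encoding.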

To delegate the right to unlock user accounts in ADUC:
  1. Right-click the OU or domain in Active Directory Users and Computers and select Delegate Control from the context menu
  2. Click Next on the Welcome dialog
  3. Click Add to select the user or group and click OK
  4. Click Next
  5. Select Create a custom task to delegate and click Next
  6. Select Only the following objects in the folder. In the list, check User objects and click Next
  7. Clear the General checkbox and check the Property-specific box
  8. Check both the Read lockoutTime and Write lockoutTime boxes and press Next
  9. Click Finish

Note: You only need to edit the dssec.dat file on the computer where you are performing the delegation. You do not need to modify it from any other machine, including the one where the user administration will occur.


Getting NumLock to Stick

Sunday, September 21, 2008
Here's a tip on how to get the Num Lock key to stay on (or off) every time a user logs on.

Simply set the NumLock key to the desired status (on or off), press Ctrl-Alt-Delete (Ctrl-Alt-End in a Hyper-V guest, Ctrl-Alt-Ins in a VMware guest), and select Log off.

This will set the HKEY_CURRENT_USER\Control Panel\Keyboard\InitialKeyboardIndicators value to 0 (OFF) or 2 (ON), depending on your preference. The next time you log on, the NumLock setting will stick.

First Ever EXPTA Hyper-V Contest Winner!

Wednesday, September 17, 2008

Congratulations to Thorsten Schuett in Berlin, Germany!


As the 100,000th visitor to my blog, Thorsten will receive a signed copy of my new book, "Windows Server 2008 Hyper-V Unleashed." This book represents our experience working with Hyper-V with our customers over a year before it was available to the public.


Thanks to all the entries I received. I appreciate the kind words and hope that you all find the information I provide in this blog useful.

First Ever EXPTA Hyper-V Contest!

Friday, September 12, 2008

Sometime next week the EXPTA {blog} will get its 100,000th visitor.

To celebrate, I will send that lucky visitor a free copy of my new book, Windows Server 2008 Hyper-V Unleashed, anywhere in the world!

All you have to do is take a screenshot of the hit counter at the bottom of this blog and email it to me at jeff@expta.com, along with your name and address.

I get a lot of hits per day, most of them from Google searches, so it's very likely that the 100,000th visitor may not read this post. Because of this, I'll choose the winner whose entry is the closest to 100,000 from the first 10 entries I receive. The entry must show the bottom of the blog with a counter of at least 100,000 and must be submitted by September 22, 2008.

Of course, if you subscribe to this blog you'd be one of the first to learn about this contest!

Good Luck!

Windows Server 2008 Hyper-V Unleashed

Wednesday, September 10, 2008
I'm very pleased to say that my new book, Windows Server 2008 Hyper-V Unleashed, has hit store shelves!

This book is a culmination of our experience deploying Hyper-V in enterprise organizations. And today, Microsoft's Virtualization Product Group featured it on their Virtualization Team Blog.

Coauthor Rand Morimoto and I are very pleased that this book has been released to coincide with Microsoft's official launch of Hyper-V this week.

Check out what's in the book at InformIT!

Fallback Printer Drivers in RDP and Terminal Server Sessions

Friday, August 29, 2008

Microsoft Remote Desktop Connection provides the ability for users to use the printers installed on their local computer within a Terminal Server session. This behavior is enabled by default, and can be changed in MSTSC (the Remote Desktop Connection client) in Options, Local Resources tab, Printers.

In order for this to work, a printer driver must be installed on the Terminal Server that matches the driver installed on the local computer. This is problematic, since you can't always be sure which printer is installed on connecting computers. If there is no matching printer driver on the server, the user will be unable to print to that printer within the RDP session. You will also see an error in the System Event Log similar to the following when the user logs into the Terminal Server:

Event Type: Error
Event Source: TermServDevices
Event Category: None
Event ID: 1111
Date: 7/8/2008
Time: 12:51:15 PM
User: N/A
Computer: HOFS01
Description:
Driver HP LaserJet 4250 PCL 5e required for printer !!SERVER1! NetPrinter2 is unknown. Contact the administrator to install the driver before you log in again.
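To see which client drivers are actually missing before deciding between installing them and relying on a fallback driver, the Event ID 1111 descriptions can be tallied by driver name. This is an added example, not part of the original post; `Get-MissingPrinterDriver` is a hypothetical helper, and every sample message except the first (quoted from the event above) is constructed.

```powershell
# Added example (not from the original post). Get-MissingPrinterDriver is a hypothetical helper.
function Get-MissingPrinterDriver {
    param([Parameter(Mandatory)][string[]]$Message)

    # Matches the description format shown in the event above.
    $pattern = '^Driver (?<driver>.+?) required for printer (?<printer>.+?) is unknown\.'

    $hits = foreach ($m in $Message) {
        if ($m -match $pattern) {
            [pscustomobject]@{ Driver = $Matches['driver']; Printer = $Matches['printer'] }
        }
    }

    # One row per missing driver, most frequently requested first.
    $hits | Group-Object Driver | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Driver   = $_.Name
            Count    = $_.Count
            Printers = ($_.Group.Printer | Sort-Object -Unique) -join '; '
        }
    }
}

# First message is the one quoted in the post; the rest are constructed samples.
$messages = @(
    'Driver HP LaserJet 4250 PCL 5e required for printer !!SERVER1! NetPrinter2 is unknown. Contact the administrator to install the driver before you log in again.'
    'Driver HP LaserJet 4250 PCL 5e required for printer Front Desk is unknown. Contact the administrator to install the driver before you log in again.'
    'Driver Example Inkjet 100 required for printer Home Office is unknown. Contact the administrator to install the driver before you log in again.'
)

Get-MissingPrinterDriver -Message $messages | Format-Table -AutoSize

# Against a live server in Windows PowerShell, the messages would come from the
# System log, using the source and event ID shown above:
#   $events = Get-EventLog -LogName System -Source TermServDevices |
#             Where-Object { $_.EventID -eq 1111 }
#   Get-MissingPrinterDriver -Message $events.Message
```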

To handle this issue without having to install tons of drivers on your server, you can tell the server to use a "fallback printer driver." If the exact driver is not installed, the server will offer a fallback PCL or PS driver (or both) to use instead. This is configured in Group Policy as shown below. Note that this requires Windows Server 2003 SP1 or later.

For Windows Server 2003, open Group Policy and navigate to Computer Settings, Computer Configuration, Administrative Templates, Windows Components, Terminal Services, Client/Server data redirection, and configure the Configure Terminal Server Fallback Printer Driver Behavior option.

For Windows Server 2008, open Group Policy and navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, Terminal Services, Terminal Server, Printer Redirection and configure the Specify Terminal Server Fallback Printer Driver Behavior option.

Configure the Terminal Server Fallback Printer Driver Behavior to Enabled, Show both PCL and PS if one is not found, as shown below.

When a client logs into the Terminal Server, you will now see the following event in the System Event Log and the client will be able to use their printer.




Exchange Server Virtualization Support Policy Summary

Monday, August 25, 2008
Microsoft released their Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments document this month. I reviewed the support document and summarized the salient facts here.

Exchange 2007 Virtualization

Host Requirements:
  • A hypervisor virtualization solution that has been validated by the Windows Server Virtualization Validation Program
  • Adequate storage space to accommodate the host OS and components, paging file, management software and crash recovery (dump) files
  • Storage space must be allocated for Hyper-V temporary memory storage (BIN) files, equal to the amount of RAM allocated to each guest
Guest Requirements:
  • Exchange 2007 SP1 (or later) deployed on Windows Server 2008
  • Cannot have the Unified Messaging Role installed
  • The total maximum number of virtual processors cannot exceed twice the number of physical cores. Typically 2 virtual processors are required for each Exchange server guest, but use this as a baseline
  • Large mailboxes (1GB and larger) require the use of Cluster Continuous Replication (CCR)
  • CCR nodes must be hosted on separate physical host servers to provide true redundancy and high availability
  • Mixing physical and virtual nodes is supported for CCR and SCC environments
  • Exchange supported backups must be run from the guest
  • Both legacy backups (using ESE streaming APIs) and Exchange-aware software-based VSS backups (Data Protection Manager) are supported
  • VSS backups of an Exchange guest are supported if the guest uses only VHDs (not pass-through disks)
Guest Storage Requirements:
  • Supports fixed size VHDs, SCSI pass-through and iSCSI storage
  • Storage must be dedicated to one guest machine. In other words, a pass-through disk must be dedicated to one, and only one, guest.
  • Guest OS must use a minimum fixed-size VHD of 15GB plus the size of virtual RAM allocated to the guest
  • VHD limit is 2,040GB (nearly 2TB) in Hyper-V
  • Hub and Edge Transport servers require sufficient storage for message queues and log files
  • Mailbox servers require sufficient storage for databases and log files
  • iSCSI storage using an iSCSI initiator within the guest is supported. This offers greater portability, but decreased performance
Not Supported:
  • Dynamically expanding VHDs are not supported
  • Snapshots or differencing disks are not supported
  • Virtualization high availability solutions, such as Hyper-V Quick Migrations, are not supported. Only Exchange aware HA solutions (SCC, LCR, CCR and SCR) are supported.
  • VSS backups of the Exchange guest machine's pass-through disk from the host are not supported
Recommendations:
  • Storage should be hosted on separate disk spindles from the guest's OS
  • Use SCSI pass-through storage to host transport and mailbox databases and transaction logs
  • When using iSCSI storage, configure the iSCSI Initiator on the host and present it as a pass-through disk to the guest
  • For iSCSI storage, use dedicated NICs with jumbo frames that are not bound to a Virtual Network Switch, Gigabit Ethernet, and isolated networks

Exchange 2003 Virtualization

Host Requirements:
  • The hardware virtualization software is Microsoft Virtual Server 2005 R2 or any later version of Microsoft Virtual Server
Guest Requirements:
  • Exchange Server 2003 SP2 (or later)
  • Microsoft Virtual Server 2005 R2 Virtual Machine Additions must be installed on the guest operating system
  • Exchange Server 2003 is configured as a stand-alone server and not as part of a Windows failover cluster
  • Each guest must have only one CPU
Guest Storage Requirements:
  • The SCSI driver installed on the guest operating system is the Microsoft Virtual Machine PCI SCSI Controller driver
  • The virtual hard disk Undo feature is not enabled for the Exchange virtual machine
Recommendations:
  • Consider adding a dedicated virtual network adaptor for Exchange Server backups
  • Create separate fixed-size VHDs for Exchange Server databases and log files and store them on separate physical drives on the host
  • Exchange Server performance should be validated before production by using the Exchange Server 2003 Performance Tools
  • Make sure that the host server is sized correctly to handle the number of virtual machines that you plan to deploy
  • Use a storage solution that enables fast disk access
  • Antivirus programs should be configured to not scan VHD files